switch to singpolyma/openpgp-php
DanielRuf opened this issue · 9 comments
I highly recommend https://github.com/singpolyma/openpgp-php as there are many security related issues in php-gpg (ECB mode for example instead of CBC).
Do you have a recommended primer on what the issues with ECB mode are?
I do intend to take your suggestion, I'm just wondering if you know of a good resource for me to improve my own understanding of the issue.
@DanielRuf I have tried to follow the examples from singpolyma/openpgp-php, but these did not work for me. The resulting message seems to "encrypt" but I am not able to decrypt the resulting ASCII text. You can see the encryption routine I am using here on line 437. Do you see something I am doing wrong?
Just google for ECB penguin ;-)
:) Ah, thanks.
Just some personal opinion, it would be better to increase the minor version as the features have changed (still backwards compatible with old codes using the methods in your WP_PGP_Encrypted_Emails class) so it would be 0.2.0 instead of 0.1.2 as defined in the SemVer specification ;-)
But just my two cents. Great to see actual PGP / GnuPG implementations for WordPress, very useful =)
:) Okay, but from an end-user's perspective, the features have not changed, so is a patch level change not more appropriate? Especially as, again from the end-user's perspective, the thing being done is a "fix" of the weaker security?
When it comes to the end user, you are right =) I am just thinking as a developer and as developer I would use your plugin and this change would add more features which are not yet directly available as own method in your namespace but independent as phpseclib and openpgp-php methods. I would like to see other plugins who would also use this plugin or others instead of reinventing the wheel always (it feels like this, other CMS use existing extensions / plugins / modules as dependency) =)
Great that you contribute this plugin to the WordPress community which makes it easier to send encrypted mails (the other plugins still use insecure and outdated libraries) using your class and its methods, will recommend it to some friends which are also part of the WordPress community =)
I am just thinking as a developer and as developer I would use your plugin and this change would add more features which are not yet directly available as own method in your namespace but independent as phpseclib and openpgp-php methods.
Ah, yes, but since they are still independent methods and no new methods that I am responsible for were added, I think I am still okay with respect to SemVer spec item 7. :)
But that said, clearly there is an opportunity to provide some useful WordPress plugin hooks to other plugins or WordPress themes now that OpenPGP-PHP and phpseclib were successfully integrated into this plugin.
Perhaps a openpgp_encrypt_content action hook that wraps OpenPGP_Crypt_Symmetric::encrypt() so other plugins can safely call these methods through familiar WordPress APIs?
Perhaps a openpgp_encrypt_content action hook that wraps OpenPGP_Crypt_Symmetric::encrypt() so other plugins can safely call these methods through familiar WordPress APIs?
This would be definitely very useful and open new possibilities for sure. I would say yes, add some hook like this and the WordPress community has a stable PGP implementation for developers and users at the same time which will prevent using insecure and incomplete libraries.